Hi,
I'm using the refint overlay with a few attributes, but I can't get it to work with krbPwdPolicyReference from MIT kerberos 1.7. I get the error from the subject when deleting the entry this attribute references.
If, however, I *rename* the entry, the krbPwdPolicyReference attribute gets updated correctly. It seems to fail only when I remove the entry.
This is the config:

dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
objectClass: olcRefintConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: krbObjectReferences
olcRefintAttribute: member
olcRefintAttribute: krbPwdPolicyReference
olcRefintNothing: cn=localroot,cn=config
This is the entry which has the attribute pointing to the entry I will remove (some attributes omitted for brevity):

dn: krbPrincipalName=andreas@EXAMPLE.COM,cn=EXAMPLE.COM,ou=Kerberos Realms,dc=example,dc=com
krbPrincipalName: andreas@EXAMPLE.COM
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
krbObjectReferences: uid=andreas,ou=people,dc=example,dc=com
krbPwdPolicyReference: cn=default,cn=EXAMPLE.COM,ou=Kerberos Realms,dc=example,dc=com
This is the entry I'm deleting. I would expect the krbPwdPolicyReference attribute from my entry above to be deleted. If I rename this cn=default, then krbPwdPolicyReference gets updated correctly.

dn: cn=default,cn=EXAMPLE.COM,ou=Kerberos Realms,dc=example,dc=com
cn: default
objectClass: krbPwdPolicy
krbMaxPwdLife: 36000
krbMinPwdLife: 0
krbPwdMinDiffChars: 1
krbPwdMinLength: 1
krbPwdHistoryLength: 1
These are the relevant logs (level 16383):

Oct 7 16:55:33 maestro slapd[6381]: refint_search_cb <NOTHING>
Oct 7 16:55:33 maestro slapd[6381]: ==> unique_modify <krbPrincipalName=andreas@EXAMPLE.COM,cn=EXAMPLE.COM,ou=Kerberos Realms,dc=example,dc=com>
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: ndn: "krbPrincipalName=andreas@EXAMPLE.COM,cn=example.com,ou=kerberos realms,dc=example,dc=com"
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: oc: "(null)", at: "(null)"
Oct 7 16:55:33 maestro slapd[6381]: bdb_dn2entry("krbPrincipalName=andreas@EXAMPLE.COM,cn=example.com,ou=kerberos realms,dc=example,dc=com")
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: found entry: "krbPrincipalName=andreas@EXAMPLE.COM,cn=example.com,ou=kerberos realms,dc=example,dc=com"
Oct 7 16:55:33 maestro slapd[6381]: bdb_entry_get: rc=0
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: ndn: "krbPrincipalName=andreas@EXAMPLE.COM,cn=example.com,ou=kerberos realms,dc=example,dc=com"
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: oc: "(null)", at: "(null)"
Oct 7 16:55:33 maestro slapd[6381]: bdb_dn2entry("krbPrincipalName=andreas@EXAMPLE.COM,cn=example.com,ou=kerberos realms,dc=example,dc=com")
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: found entry: "krbPrincipalName=andreas@EXAMPLE.COM,cn=example.com,ou=kerberos realms,dc=example,dc=com"
Oct 7 16:55:33 maestro slapd[6381]: bdb_entry_get: rc=0
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: ndn: "cn=default,ou=password policies,dc=example,dc=com"
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: oc: "(null)", at: "(null)"
Oct 7 16:55:33 maestro slapd[6381]: bdb_dn2entry("cn=default,ou=password policies,dc=example,dc=com")
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: found entry: "cn=default,ou=password policies,dc=example,dc=com"
Oct 7 16:55:33 maestro slapd[6381]: bdb_entry_get: rc=0
Oct 7 16:55:33 maestro slapd[6381]: hdb_modify: krbPrincipalName=andreas@EXAMPLE.COM,cn=EXAMPLE.COM,ou=Kerberos Realms,dc=example,dc=com
Oct 7 16:55:33 maestro slapd[6381]: bdb_dn2entry("krbPrincipalName=andreas@EXAMPLE.COM,cn=example.com,ou=kerberos realms,dc=example,dc=com")
Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: 0x00000042: krbPrincipalName=andreas@EXAMPLE.COM,cn=EXAMPLE.COM,ou=Kerberos Realms,dc=example,dc=com
Oct 7 16:55:33 maestro slapd[6381]: <= acl_access_allowed: granted to database root
Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: delete krbPwdPolicyReference
Oct 7 16:55:33 maestro slapd[6381]: dnMatch 0#012#011"cn=default,cn=example.com,ou=kerberos realms,dc=example,dc=com"#012#011"cn=default,cn=example.com,ou=kerberos realms,dc=example,dc=com"
Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: replace modifiersName
Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: delete krbPwdPolicyReference
Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: 16 modify/delete: krbPwdPolicyReference: no such attribute
Oct 7 16:55:33 maestro slapd[6381]: hdb_modify: modify failed (16)
Oct 7 16:55:33 maestro slapd[6381]: send_ldap_result: conn=-1 op=0 p=0
Oct 7 16:55:33 maestro slapd[6381]: send_ldap_result: err=16 matched="" text="modify/delete: krbPwdPolicyReference: no such attribute"
Oct 7 16:55:33 maestro slapd[6381]: refint_repair: dependent modify failed: 16
Any hints?
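
An added example, not part of the original post: a small Python parser that groups the bdb_modify_internal lines of a slapd debug log per modified entry and reports any attribute deleted more than once within the same modify, which is the sequence visible in the log above just before the error 16. The sample input is a constructed, shortened excerpt of those log lines, and the regexes assume the debug line format shown in the post.

```python
import re
from collections import Counter

# Constructed sample: shortened excerpt of the slapd log lines quoted in the post.
SAMPLE_LOG = """\
Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: 0x00000042: krbPrincipalName=andreas@EXAMPLE.COM,cn=EXAMPLE.COM,ou=Kerberos Realms,dc=example,dc=com
Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: delete krbPwdPolicyReference
Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: replace modifiersName
Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: delete krbPwdPolicyReference
Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: 16 modify/delete: krbPwdPolicyReference: no such attribute
Oct 7 16:55:33 maestro slapd[6381]: hdb_modify: modify failed (16)
Oct 7 16:55:33 maestro slapd[6381]: refint_repair: dependent modify failed: 16
"""

# Assumed line shapes, taken from the log in the post.
START = re.compile(r"bdb_modify_internal: 0x[0-9a-fA-F]+: (?P<dn>.+)$")
MOD = re.compile(r"bdb_modify_internal: (?P<op>[a-z]+) (?P<attr>\S+)$")
ERR = re.compile(
    r"bdb_modify_internal: (?P<rc>\d+) modify/\w+: (?P<attr>[^:]+): (?P<text>.+)$"
)


def summarize_modifies(log_text):
    """Group modify operations per entry and flag attributes deleted twice."""
    results, current = [], None
    for line in log_text.splitlines():
        if m := START.search(line):
            # A new internal modify begins; later lines belong to it.
            current = {"dn": m["dn"], "mods": [], "error": None}
            results.append(current)
        elif current is None:
            continue
        elif m := ERR.search(line):
            current["error"] = (int(m["rc"]), m["attr"], m["text"])
        elif m := MOD.search(line):
            current["mods"].append((m["op"], m["attr"]))
    for r in results:
        deletes = Counter(attr for op, attr in r["mods"] if op == "delete")
        r["repeated_deletes"] = sorted(a for a, n in deletes.items() if n > 1)
    return results


if __name__ == "__main__":
    for r in summarize_modifies(SAMPLE_LOG):
        print(r["dn"])
        print("  mods:", r["mods"])
        print("  repeated deletes:", r["repeated_deletes"], "error:", r["error"])
```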